Why I Don’t Attend the RSA Conference

For years now, I have been asked if I will be at the RSA Conference (RSAC). Invariably, I answer no because I will not subject myself to it, or support the conference in any way.

The short answer as to why, is that it is basically the “Comdex” of InfoSec. Overly large, full of flash, and mostly a waste of time. Rather than real value or progress, RSAC offers the same buzzwords and claims of innovation that fail us year after year. The same technology from last year, five years ago, and often ten years ago is rebranded, given a new interface, and sold to us as if it is the next great miracle that will magically solve all of our security woes. Every year, security gets worse, attackers get better, more systems are compromised. RSAC is doing nothing for us.

And then there are the keynotes. The biggest names in InfoSec! People that make the news, lead the biggest companies, boldly take on the title of “visionary” or “thought leader”. They give banal talks that rehash the same ideas that are supposed to be the fundamental core of our business. Rather than providing real help, they offer us crappy analogies and the latest buzzwords. These platitudes fill the seats with professionals that are excited to be there, walk away feeling they got some kind of value, and return to providing mediocre services that consistently fail to secure the networks they consider so valuable.

Watching Tweets from the conference is absolutely disgusting. The blatant fan-boy attitudes, getting excited about free giveaways, bragging about the parties attended. They live-tweet talks that frequently offer the same platitudes and buzzwords as the keynotes. The worst part, they don’t even realize they are part of the problem.

Speaking of the parties, this year has around 70 parties crammed into one week. Remind me, as an industry, what exactly are we celebrating? Record number of data breaches, almost a thousand vulnerabilities disclosed every month, endless malware, new types of attacks that are harder to detect, compliance initiatives that waste time and offer no lasting security. Are we celebrating that? Or that these security companies continue to make stupid amounts of money selling inferior products and solutions?

So no thanks, not interested in attending the security cesspool.

Subway, the Missing Inch, and Karma

In case you hadn’t heard, Subway is embroiled in a lawsuit over them serving up 11″ sandwiches, while advertising them to be 12″. While it doesn’t sound like much, those missing inches add up over time. There is also the whole truth in advertising issue.

I’ve been going to Subway for a long, long time. My first experience was in the early 90’s in Albuquerque. I’ve gone through their phases, including the “V” cut phase, while consistently ignoring the concept of making “every bite equal”. Recently, it involves between 1 and 4 trips a week. I’ve been on a first name basis with a dozen employees of my local Subway over the last 8 years. I offer this to establish that I am a loyal customer and frequent the stores quite often.

My experience at Subway today was so absurd as to be laughable, instead of making me angry. I ordered a 6″ sandwich like usual. The employee took out what appeared to be a 6″ piece of bread, put it on the counter, and considered it. Remember, Subway serves 6″ and 12″ sandwiches, nothing between. After considering it for a second, she cut off about an inch and a half of the bread and put it back in the case. Uh… what?

First, if that wasn’t a 6″ piece, it means the person before me didn’t get a 6″ sandwich. Second, if it was, it means she arbitrarily decided to short me an inch. Finally, why keep a 1 – 1.5″ piece of bread that can’t be used for another sandwich? There is simply no logical reason to do that to a customer, especially when Subway is catching grief over shorting people.

In conclusion, Subway: after shorting customers for years, is it really such a bad idea to show some good sandwich karma and give a customer an extra inch?

Selling out, a bit at a time…

I sold out when I signed up for Google, Gmail, Facebook, Twitter… might as well sell out a bit more and use WordPress. While guest-blogging recently, I found out that the managed WP site is actually pretty well done for a stable, mostly intuitive blogging platform. This will also help ensure my spew stays around for years to come, even if attrition.org goes away for some reason. In reality, I won’t run blog software on that domain, and doing static HTML for every little quick blog, gripe, or musing is not efficient.

Time permitting, I may actually post and backdate content from other sources, from the previous years as well, since it is so spread out.